Saturday, December 6, 2014

I've been exploring HTTP encryption configurations lately at industry scale, using an automated SSL/TLS scanner that I wrote based on OpenSSL and SSLScan. Here are the SSL/TLS configurations of the top 25 US banks. It is good to note that just about everyone seems to have their crypto-house in order.

Observation: The majority of banks only support TLS - no SSL. The remaining banks support SSLv3 and TLS. No SSLv2.

Observation: No key lengths less than 128-bit. This is good. Over time, I expect that we'll see a decrease in 128-bit keys and an increase in 256-bit keys.
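Both observations can be derived mechanically from scanner output. The following is an added example, not the author's scanner: it assumes an SSLScan-style text report ("Testing SSL server ..." followed by "Accepted/Rejected/Failed protocol bits cipher" lines), and the host names and report lines are constructed placeholders, not real scan data.

```python
import re
from collections import defaultdict

# Constructed sample modelled on SSLScan's text output; hosts are placeholders.
SAMPLE = """\
Testing SSL server bank-a.example on port 443
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  SSLv3  128 bits  RC4-SHA
Testing SSL server bank-b.example on port 443
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Failed    SSLv2  40 bits   EXP-RC4-MD5
"""

HOST_RE = re.compile(r"^Testing SSL server (\S+) on port (\d+)")
CIPHER_RE = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+) bits\s+(\S+)")

def summarize(report):
    """Return {host: {"protocols": set, "min_bits": int or None}} for accepted suites."""
    hosts = defaultdict(lambda: {"protocols": set(), "min_bits": None})
    current = None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current]  # register the host even if it accepts nothing
            continue
        m = CIPHER_RE.match(line)
        # Only suites the server actually accepted count toward its configuration.
        if m and current and m.group(1) == "Accepted":
            entry = hosts[current]
            entry["protocols"].add(m.group(2))
            bits = int(m.group(3))
            entry["min_bits"] = bits if entry["min_bits"] is None else min(entry["min_bits"], bits)
    return dict(hosts)

def classify(entry):
    """Bucket a host as in the observations: TLS only, SSLv3 and TLS, or SSLv2 offered."""
    protos = entry["protocols"]
    if "SSLv2" in protos:
        return "SSLv2 offered"
    if "SSLv3" in protos:
        return "SSLv3 and TLS" if any(p.startswith("TLS") for p in protos) else "SSLv3 only"
    return "TLS only" if protos else "nothing accepted"

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE).items():
        print(host, classify(entry), "min key bits:", entry["min_bits"])
```
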